Microsoft investigates possible leak that enabled hackers to exploit Exchange

Microsoft is investigating whether a hacker got hold of confidential research on the recently-discovered Exchange Server vulnerabilities through at least one of its security partners.

The Wall Street Journal says Microsoft is trying to explain how an attack limited to one threat actor spread to others just before the tech giant sent out a software fix to customers on March 2. When Microsoft first disclosed the four vulnerabilities that enabled on-premise versions of Exchange to be compromised, the company said a China-based group called Hafnium was exploiting the holes. After Microsoft issued a patch, other groups were detected using the exploit to install web shells and back doors.

However, not long after the disclosure, ESET said it discovered four other threat actors had been using the exploit before Microsoft’s patch was released, suggesting those groups didn’t reverse engineer the Microsoft patch.

According to the Journal, Microsoft had shared some threat information about the vulnerabilities with security partners before March 2. Microsoft is reportedly considering the possibility of a partner inadvertently – or intentionally – leaking information because some of the tools used in the second wave of attacks at the end of February are similar to the “proof of concept” attack code Microsoft distributed in confidence.

Meanwhile security experts continue to parse the techniques used in what some are calling the ProxyLogon attack. Researchers at Trustwave’s SpiderLabs released a report this morning on Hafnium’s web shell after it compromises Exchange Severs.

Known as the Chinese Chopper web shell, it’s an Active Server Page Extended (ASPX) web shell typically planted on an Internet Information Services (IIS) server through an exploit to execute code such as downloading and uploading files, the report notes. Typically the shell is just one line and there are multiple versions for executing code in different languages such as ASP, ASPX, PHP, JSP, and CFM. It’s a web shell that’s been used for years.

“When examining servers for signs of compromise, in addition to ASPX scripts, be aware also of the corresponding DLLs generated by ASP.NET runtime,” says the report.

DearCry ransomware analysis

Separately, Sophos offered insight into the DearCry ransomware that a threat group is hitting ProxyLogon victims with. From an encryption-behaviour view, DearCry is a ‘Copy’ ransomware, noted Mark Loman, director of Sophos’ engineering technology office. It creates encrypted copies of the attacked files and deletes the originals. This causes the encrypted files to be stored on different logical sectors, allowing victims to potentially recover some data – depending on when Windows reuses the freed logical sectors. Human-operated ransomware like RyukREvil, BitPaymer, Maze and Clop, are ‘In-Place’ ransomware. The attack causes the encrypted file to be stored on logically the same sectors, making data recovery via undelete tools impossible.

DearCry’s encryption is based on a public-key cryptosystem, says Sophos. The public encryption key is embedded in the ransomware binary, meaning it does not need to contact the attacker’s command-and-control server to encrypt your files. Microsoft Exchange servers that are set up to only allow internet access for the Exchange services will still become encrypted. Without the decryption key (which the attacker owns), decryption is impossible.

“WannaCry was also a Copy ransomware. DearCry not only shares a similar name but also has an eerily similar file header,” Loman wrote. “Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Microsoft Exchange patches. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team.

While IT administrators are quickly installing Microsoft’s patches to cover supported and unsupported versions of Exchange it’s believed there are still thousands of unpatched installations.

According to Check Point Software, the number of attempted ProxyLogin attacks has increased tenfold from 700 on March 11 to over 7,200 as of this morning.

The country most attacked has been the United States (17 per cent of all exploit attempts), followed by Germany (six per cent), the United Kingdom (five per cent), The Netherlands (five per cent) and Russia (four per cent).

The most targeted industry sector has been government/military (23 per cent of all exploit attempts), followed by manufacturing (15 per cent), banking and financial services (14 per cent), software vendors (seven per cent) and healthcare (six per cent).

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now